STIGQter: STIG Summary: zOS Websphere Application Server for TSS STIG Version: 6 Release: 1 Benchmark Date: 11 Mar 2020:

The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.

DISA Rule

SV-7266r3_rule

Vulnerability Number

V-3899

Group Title

ZWAS0030

Rule Version

ZWAS0030

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Ensure the following items are in effect for CBIND resource protection:

1) The CB. resource is owned appropriately in the BIND resource class.

For Example:
TSS ADD(cbowner) CBIND(CB)

2) Access to the CB.BIND.server_name and CB.server_name resources is restricted to WAS server (STC) ACIDs and systems management ACIDs (e.g., WebSphere administrator ID).

For Example:
The WebSphere administrator ID needs read authority to the CB.BBOASR1 and CB.BIND.BBOASR1 servers:

TSS PERMIT(was_admin_acid) CBIND(CB.BBOASR1) ACCESS(READ)
TSS PERMIT(was_admin_acid) CBIND(CB.BIND.BBOASR1) ACCESS(READ)

NOTE: When adding a new server, all systems management userids (e.g., WebSphere administrator ID) must be authorized to have read access to the CB.server_name and CB.BIND.server_name resources.

Check Contents

a) Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection:

- TSSCMDS.RPT(WHOOCBIN)
- TSSCMDS.RPT(WHOHCBIN)
- SENSITVE.RPT(WHOHCBIN)

b) Ensure the following items are in effect for CBIND resource protection:

1) The CB. resource is owned appropriately in the BIND resource class.

2) Access to the CB.BIND.server_name and CB.server_name resources is restricted to WAS server (STC) ACIDs and systems management ACIDs (e.g., WebSphere administrator ID).

c) If all items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Vulnerability Number

V-3899

Documentable

False

Rule Version

ZWAS0030

Severity Override Guidance

a) Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection:

- TSSCMDS.RPT(WHOOCBIN)
- TSSCMDS.RPT(WHOHCBIN)
- SENSITVE.RPT(WHOHCBIN)

b) Ensure the following items are in effect for CBIND resource protection:

1) The CB. resource is owned appropriately in the BIND resource class.

2) Access to the CB.BIND.server_name and CB.server_name resources is restricted to WAS server (STC) ACIDs and systems management ACIDs (e.g., WebSphere administrator ID).

c) If all items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3361

Comments